JVN#05508012
EXIF Viewer Classic vulnerable to cross-site scripting
Overview
EXIF Viewer Classic provided by Rodrigue (former Kakera) contains a cross-site scripting vulnerability.
Products Affected
- EXIF Viewer Classic versions 2.4.0 and prior
Description
EXIF Viewer Classic provided by Rodrigue (former Kakera) is a Google Chrome browser extension.
The affected versions of the product improperly handle EXIF meta data, resulting in a cross-site scripting vulnerability (CWE-79).
Versions 2.3.2 and 2.4.0 were reported as vulnerable. The vendor informs us that the product has been refactored after those old versions and that the current version 3.0.1 is not vulnerable.
Impact
When an image is rendered and crafted EXIF meta data is processed, an arbitrary script may be executed on the web browser.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Rodrigue | EXIF Viewer Classic - Chrome Web Store |
| EXIF Viewer |
References
JPCERT/CC Addendum
The vendor was in "the list of unreachable developers" for some years.
The communication was established recently and we reached to the agreement to publish this JVN.
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. and Kouhei Morita reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2025-23362 |
| JVN iPedia |
JVNDB-2025-000005 |